bg-tutorials

How to Install an SSL Certificate on Synology NAS

This tutorial shows you how to install an SSL certificate on a Synology NAS running DSM 7. You will import your certificate files, assign the certificate to your DSM and other services, and force HTTPS.

Generate a CSR code on Synology NAS

To apply for a certificate, you first create a Certificate Signing Request (CSR), a block of encoded text that holds your domain and organization details, and send it to the Certificate Authority (CA). You have two options:

Submit the CSR to the Certificate Authority during your order. After the CA validates it and issues your certificate, continue with the installation below.

Install an SSL certificate on Synology NAS

Before you start, make sure you have these three files ready:

  • Your certificate: the .crt file from the ZIP archive the CA sent you.
  • Intermediate certificate: the CA bundle file from the same ZIP archive (the CA bundle).
  • Private key: the .key file you generated together with the CSR.

The screens below describe DSM 7, the current Synology operating system. Earlier DSM versions follow a similar path with slightly different labels.

Step 1: Open the Certificate panel

Log in to DSM as an administrator and go to Control Panel > Security > Certificate.

Step 2: Start a new import

Click Add. In the window that opens, select Add a new certificate and click Next.

Step 3: Choose “Import certificate”

Select Import certificate and tick Set as default certificate so DSM uses it for connections that are not bound to a specific certificate. You can leave the Description field blank or give the certificate a name to tell it apart from others. Click Next.

Step 4: Upload the three files

In the Import Certificate window, use the Browse buttons to attach each file to the matching field:

  • Private Key: your .key file.
  • Certificate: your .crt file.
  • Intermediate Certificate: the CA bundle file.

Match each file to the correct field. Loading the certificate into the key field, or skipping the intermediate certificate, is the usual cause of a “not trusted” warning later. Click OK to import. DSM restarts its web server to apply the new certificate, so the interface may be briefly unavailable.

Step 5: Assign the certificate to your services

Importing the certificate is not the last step. You still need to tell each service which certificate to use. Back on the Certificate screen, click Settings. In the Configure tab, you will see your services (DSM desktop, Web Station, mail, FTP, and others) next to a certificate drop-down. For each service that should use the new certificate, open the drop-down and select it, then click OK.

If you ticked Set as default certificate in Step 3, services without an explicit assignment already use the new certificate, but it is worth confirming the DSM desktop and any web services point to the right one.

Step 6: Force a secure connection

To make sure visitors always reach the secure version, redirect HTTP to HTTPS:

  • Go to Control Panel > Login Portal.
  • On the DSM tab, tick Automatically redirect HTTP connections to HTTPS for DSM desktop.
  • Click Save (or Apply).

The DSM desktop now loads only over HTTPS. Web Station sites are handled separately, in their own portal settings.

Your SSL certificate is now installed on your Synology NAS.

Free option: get a Let’s Encrypt certificate in DSM

DSM 7 can issue a free Let’s Encrypt certificate directly, with no CSR and no manual import. It renews itself automatically before expiry, which removes the 90-day renewal chore. It works best when your NAS is reachable from the internet on the matching domain.

  • Go to Control Panel > Security > Certificate, click Add, then Add a new certificate.
  • Select Get a certificate from Let’s Encrypt and click Next.
  • Enter your Domain name and a contact Email. Add any extra hostnames under Subject Alternative Name, then finish.

For domain validation, your NAS and router must allow inbound port 80 from the internet. DSM uses the same connection to renew the certificate automatically. After it is issued, assign it to your services with Settings > Configure, the same way as an imported certificate.

Choose Let’s Encrypt for free DSM and internal services. Choose a purchased certificate when you need Organization or Extended Validation, a wildcard across many subdomains, a longer validity term, or a warranty and vendor support.

Test your SSL installation

After installation, check the certificate and chain so you catch a missing intermediate or a wrong assignment early. Open your NAS address in a browser over HTTPS and check the padlock, then run a deeper scan with our SSL Checker.

If you have OpenSSL on another computer, you can read the certificate your NAS serves directly. Replace the host and port with your own (DSM usually listens on 5001 for HTTPS):

echo | openssl s_client -connect your-nas-address:5001 -servername your-nas-address 2>/dev/null | openssl x509 -noout -issuer -subject -dates

This prints the issuer, the subject, and the validity dates. A real Certificate Authority in the issuer line (rather than the NAS itself) confirms your imported certificate is being served.

Frequently Asked Questions

Why is my Synology certificate not trusted?

A browser shows a “not trusted” warning when the certificate is self-signed, expired, or served without its intermediate certificate. Confirm you imported a valid certificate from a public CA and that the Intermediate Certificate (CA bundle) was uploaded with it. If the chain is incomplete, re-import the certificate with the intermediate file in place.

How do I get an SSL certificate for a NAS?

You have two routes. Buy a certificate from a Certificate Authority and import it under Control Panel > Security > Certificate, or use the built-in Get a certificate from Let’s Encrypt option in DSM 7 for a free certificate that renews automatically. A purchased certificate makes sense when you need Organization or Extended Validation, a wildcard, or a warranty.

Why didn’t my new certificate apply to a service?

Importing a certificate does not automatically attach it to every service. Open Control Panel > Security > Certificate, click Settings, and in the Configure tab set each service (DSM desktop, Web Station, mail, FTP) to the correct certificate from the drop-down. Setting a certificate as default covers only services without an explicit assignment.

What is the best way to secure a Synology NAS?

Beyond installing a certificate and forcing HTTPS, use strong administrator passwords, enable two-factor authentication, keep DSM and packages updated, restrict admin access by IP or account, and use secure protocols such as SFTP instead of plain FTP.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.